1. Field of the Invention
The invention is generally related to security of data storage, and more particularly to security of data storage in a distributed network, such as the Internet. Also, the invention is related to control of access to data stored in a distributed storage system.
2. Related Art
In recent years, electronic storage of data has been moving from being stored on a single computer with a hard drive to various forms of distributed storage. Any conventional distributed storage system requires a mechanism for giving users access to the data. Therefore, the question immediately arises: what kind of access? A number of different types of access are possible. For example, a user could have “read” access to data, “write” access to data, administrative access (where the user has permission to specify which other users have access to the data, and what kind of access), etc. Depending on the operating system, the particular access control scheme may be relatively simple, or may be much more complex, for example, involving access control lists, etc. In 1983, the U.S. Department of Defense published the first access control criteria as the Trusted Computer Security Evaluation Criteria (TCSEC), more popularly known as the “Orange Book,” whose current version is dated 1985. The U.S. Federal Government Criteria were drafted in the early 1990s as a possible replacement, but were never formally adopted. Other standards are also known, which are essentially directed to various implementations of access control in a distributed storage system.
The security of an operating system is conventionally accomplished through the implementation of a “trusted area,” which can be modified only by those users who a priori have access to the trusted area. These trusted users, in turn, can define permissions and control access of other users to the data of the system. Thus, for example, consider the situation of a server, and of a user requesting certain information from the server. The server compares the request for the data with what it knows to be the access privileges of that user, and either fulfills the request by delivering the data to the user, or rejects the request. This is done based on some characteristics of the user, which is another way of framing the access control problem encountered by the server. At the same time, it is assumed that the server itself “exists,” or “lives,” in a trusted area, since if the server code were available to the public, any user could arbitrarily modify his own access control parameters, and then access any data on the server.
The fact that the server has to “live” in a trusted area implies that there exists a “someone” whose job it is to administer the security of the server. For example, there may be a person whose job it is to maintain the database of authorized log-ins into the trusted area of the server.
There are important differences between a corporate distributed network, such as a LAN or a WAN, and a very large distributed network, such as the Internet. One of the most important differences is the fact that there is no single owner of the Internet. A LAN or a WAN is owned by, for example, a corporation, or is managed by an Information Technology department, which is in charge of administering security and access control for the LAN, and therefore of the data stored on the LAN. For example, the IT department is usually in charge of adding users, deleting users, defining the access control rights of the users, etc. Because the Internet, unlike a LAN, does not have an owner, the security aspects of data storage are considerably more complex.
On the Internet, the access control problem is usually solved in a different manner. The user (typically using a client, such as a web browser) declares certain information about himself. This information is transmitted to a webserver, which in turn decides whether this particular user has access, and to what data. A log-in is the most common way of accomplishing access control to non-public data on the Internet.
However, the only reason that the webserver can know whether a particular user has, or does not have, access to restricted data is because someone previously “told” the server that this particular user has access. As noted above, that “someone” does not own the Internet, and does not own most of the nodes through which the information between the user and the server has to be transmitted. This problem exists for any decentralized distributed system that does not have a single owner.
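The server model described in the preceding paragraphs (a trusted area holding the credential database and the per-object permissions, an administrator who populates it, and a request that is fulfilled or rejected by comparing it against the requester's privileges) can be illustrated with a small worked example. The following Python code is an added illustration and is not part of the patent text; the class and function names (`Server`, `AccessControlList`, `demo`) and the sample users, password strings and object name are constructed for the illustration. It shows the three access types named in the Related Art section (read, write and administrative access), the log-in step by which the client declares who it is, and the point that only a principal holding administrative access may change who else has access.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Permission kinds named in the text: read, write and administrative access.
READ, WRITE, ADMIN = "read", "write", "admin"


@dataclass
class AccessControlList:
    """Per-object permission table mapping principal -> set of permissions.

    The ACL is part of the server's trusted area: only a principal holding
    ADMIN on the object may change it (the 'administrative access' of the text).
    """
    entries: dict = field(default_factory=dict)

    def allows(self, principal, permission):
        return permission in self.entries.get(principal, set())

    def grant(self, acting_principal, target_principal, permission):
        # Enforce the trusted-area rule: no self-granting by ordinary users.
        if not self.allows(acting_principal, ADMIN):
            raise PermissionError(f"{acting_principal} may not administer this object")
        self.entries.setdefault(target_principal, set()).add(permission)


class Server:
    """Hypothetical server whose credential database and ACLs are trusted state."""

    def __init__(self):
        self._credentials = {}  # user -> (salt, derived key); never stores raw passwords
        self._objects = {}      # object name -> (data, AccessControlList)

    # --- administration, performed by the operator inside the trusted area ---
    def register_user(self, user, password):
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._credentials[user] = (salt, key)

    def create_object(self, name, data, owner):
        self._objects[name] = (data, AccessControlList({owner: {READ, WRITE, ADMIN}}))

    # --- request handling: the client declares who it is, the server decides ---
    def authenticate(self, user, password):
        record = self._credentials.get(user)
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, stored)  # constant-time comparison

    def request(self, user, password, name, action, new_data=None, grantee=None, permission=None):
        if not self.authenticate(user, password):
            return "rejected: unknown user or bad password"
        if name not in self._objects:
            return "rejected: no such object"
        data, acl = self._objects[name]
        if action == READ:
            return data if acl.allows(user, READ) else "rejected: no read access"
        if action == WRITE:
            if not acl.allows(user, WRITE):
                return "rejected: no write access"
            self._objects[name] = (new_data, acl)
            return "ok"
        if action == ADMIN:
            try:
                acl.grant(user, grantee, permission)
            except PermissionError as exc:
                return f"rejected: {exc}"
            return "ok"
        return "rejected: unknown action"


def demo():
    """Walk through a constructed scenario and return the server's decisions."""
    server = Server()
    server.register_user("alice", "correct horse")   # constructed sample accounts
    server.register_user("bob", "battery staple")
    server.create_object("report.txt", "quarterly figures", owner="alice")
    return [
        server.request("bob", "battery staple", "report.txt", READ),           # not yet granted
        server.request("bob", "wrong", "report.txt", READ),                    # bad credential
        server.request("bob", "battery staple", "report.txt", ADMIN,
                       grantee="bob", permission=READ),                        # cannot self-grant
        server.request("alice", "correct horse", "report.txt", ADMIN,
                       grantee="bob", permission=READ),                        # owner delegates
        server.request("bob", "battery staple", "report.txt", READ),           # now allowed
        server.request("bob", "battery staple", "report.txt", WRITE,
                       new_data="tampered"),                                   # still no write
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Every decision in `request` depends on two pieces of state that only the administrator may populate, the credential table and the ACL; this is exactly the trusted area the text refers to, and it is why the security of that state, rather than of the comparison logic itself, is what the design must protect.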
The security requirements for the routers between the client and the webserver are relatively weak. Usually, the only requirement is that the router be able to forward data formatted according to the TCP/IP protocol. In other words, in a highly decentralized network such as the Internet, it is impossible to insist on security of the transmission path between the client and the server, and therefore impossible to assure that information relating to access control will remain secure.